What is Log4j? A crucial bit of software ‘used across the entire internet’ that is now vulnerable

Yahoo Finance's Dan Howley breaks down what Log4j is all about and how it can impact internet security.

Video Transcript

[MUSIC PLAYING]

- Well, if you have used Apple's cloud service or played Minecraft, chances are you've encountered the software known as Log4j. Now the Department of Homeland Security officials are saying a flaw in the software could have widespread security implications. Let's bring in Yahoo Finance's Dan Howley with this week's Tech Support. And, Dan, you know, a lot of people looking at this saying, well, what-- what is Log4j? But there's a lot of services that run on it. What's-- what's the big risk right now that we're hearing from with officials?

DAN HOWLEY: So really, the big risk is that Log4j is used basically across the entire internet. And the reason why this is a problem is because of how the software can be exploited. So let me start from the beginning. Basically, Log4j is a piece of software that developers use for logging incidents on apps or programs.

So if there's an issue where, you know, a program crashes or there's bugs, they want to get that information back so they can improve their software. And everybody does this. You know, I mean, it's a common practice. It's how we get software improvements. So this is part of the Apache Software Foundation. It's an open source. It's-- that's why it's so popular. It's well-respected.

But this logging piece of software in particular has a flaw that would allow attackers to go in and essentially take remote control over any system using it. Now we don't have to worry about it on our individual computers because we just don't use it. This is something that large online services use.

But because so many use them, we're impacted downstream. Now let me just, kind of, give you an idea of what this means. It really could be used, according to the experts that I spoke to, by attackers to access, say, for instance, a major-- major banking institution. They could use this software, insert themselves into this banking institution's networks, and then essentially act like they're on the network.

And they can take-- take information from the network. They can steal user data, basically run amok if they want. They could do this with email services if they want. The other issues are the fact that this can then translate into real-world harm not just through, obviously, the problems that can happen with banking institutions and issues there.

But one professor I spoke to said that, look, if there's a generator connected to your network, you can then take control of that computer and disable that generator. So it can have issues with actual infrastructure. A chemical plant, you can cause issues at chemical plants. So things like that are really what the problem is here.

Now the other issue is that they're already starting to see exploits used from this flaw. Now Microsoft has said that they've seen countries ranging from Iran to Turkey to North Korea to China looking at potential ways to figure out how to use this to speed up the use of other types of cyber attacks.

And they've seen that from the likes of China, and North Kor-- sorry, China and Iran already, where they have cyber weapons that they already have. They're using this flaw to make them even more powerful so that they can get access to systems. Now there is a patch available. So whenever there's an issue like this, any company will release a patch.

But here's the thing about cybersecurity. It's not like filling a hole in a wall after you, you know, dent it or something like that, that you can do real quick. This is something that takes a long time. Because any time you introduce a new piece of software to these sprawling networks, you have to make sure that it's not going to cause an issue with that existing network.

So companies have to test it, make sure it works well. And then some companies, no joke, are just straight up lazy. And they don't use the proper cybersecurity practices. And you would think that that's something that would be top of mind for any company at this point in time, especially after what we've seen in the past couple of years. But it's not always. So those are some of the-- the real issues.

I think for most companies, what we're going to end up seeing is deploying the patches over time. And hopefully, they'll be installed by the time some additional issues can't come up. But we've already seen, according to Microsoft, some attackers trying to install crypto miners on systems, trying to steal email information and things along those lines. So I-- I do think that this is going to continue to be an issue for some time. If any company doesn't patch their systems, then they're basically playing with fire at this point.

- Yeah, it's been interesting to watch, kind of, the different levels of responses. And obviously, wouldn't want to be the IT guy who doesn't have a team to, kind of, get right on this one. But Dan Howley bringing us the latest there on the cybersecurity front. Appreciate that.
